## Definitions:

### Primitive root of unity
Any complex number that yields 1 when raised to some positive integer power n.
1. $ \zeta^n = 1 $
2. $ \zeta^k \neq 1 $ for all integers $ k $ such that $ 0 < k < n $.

$\zeta^n = e^{i(2\pi \frac{k}{n})}$

For 2N-th roots of unity, this means any number $\zeta$ that satisfies $\zeta^{2N}=1$

### Cyclotomic Polynomial
A **cyclotomic polynomial** is a special type of polynomial defined as the unique irreducible polynomial with integer coefficients whose roots are the **primitive roots of unity** $e^{i(2\pi\frac{k}{n})}$, where k runs over the positive integers less than n and coprime to n. The formula is equal to:

$$
\Phi_{n}(x) = \prod_{\substack{1 \leq k \leq n \\ \gcd(k, n) = 1}} \left(x - e^{2i\pi \frac{k}{n}}\right)
$$

**Special Case**: $\Phi_M(X) = X^N + 1$

The specific form $\Phi_M(X) = X^N + 1$ arises when:

- $M = 2N$, i.e., $M$ is an even number and M is a power of 2.
- The roots of $\Phi_{2N}(X)$ are the primitive $2N$-th roots of unity.


#### 2.1. Roots of $X^N + 1$

The equation $X^N + 1 = 0$ has $N$ distinct roots in the complex plane. These roots are the **odd powers** of $\xi$, a primitive $2N$-th root of unity:

$$
\xi = e^{2\pi i / (2N)}, \quad \text{so } \xi^{2k+1} \text{ for } k = 0, 1, \dots, N-1.
$$



#### 2.2. Factorization

The polynomial $X^N + 1$ factors as:

$$
X^N + 1 = \prod_{k=0}^{N-1} \left( X - \xi^{2k+1} \right),
$$

where $\xi^{2k+1}$ are the odd powers of the primitive $2N$-th root of unity $\xi$.



#### 2.3. Minimal Polynomial

When $M = 2N$, the primitive $2N$-th roots of unity are precisely the roots of $X^N + 1$. Hence, the minimal polynomial of the primitive $2N$-th roots of unity is:

$$
\Phi_{2N}(X) = X^N + 1.
$$


### Isomorphism

An isomorphism between two algebraic structures is a bijective homomorphism.

**Addition Preservation**:
$\sigma(m1 + m2) = \sigma(m1) + \sigma(m2)$

**Multiplication Preservation**:
$\sigma(m1 * m2) = \sigma(m1) \circ \sigma(m2)$

- Injectivity: No two distinct polynomials map to the same vector under σ.
- Surjectivity: Every vector in ${C^N}$ (satisfying the necessary properties) is the image of some polynomial under σσ.




## Plaintext Encoding and Decoding

### Canonical embedding $\sigma:$

#### $\sigma^{-1}$:
Find a polynomial $m(X) = \sum_{i=0}^{N-1} \alpha_i X^i \in \mathbb{C}[X]/(X^N + 1)$, given a vector $z \in \mathbb{C}^N$, such that $\sigma(m) = (m(\xi), m(\xi^3), \ldots, m(\xi^{2N-1})) = (z_1, \ldots, z_N)$ where $\xi_M$, the $M$-th root of unity: $\xi_M = e^{2i\pi/M}$. So we get:
$\sum_{j=0}^{N-1} \alpha_j (\xi^{2i-1})^j = z_i, \; i = 1, \ldots, N.$

This can be viewed as a linear equation:

$A\alpha = z$, with $A$ the Vandermonde matrix of the $(\xi^{2i-1})_{i=1,\ldots,N}$, $\alpha$ the vector of the polynomial coefficients, and $z$ the vector we want to encode.

$$
\begin{bmatrix}
1 & \xi_1 & \xi_1^2 & \xi_1^3 \\
1 & \xi_3 & \xi_3^2 & \xi_3^3 \\
1 & \xi_5 & \xi_5^2 & \xi_5^3 \\
1 & \xi_7 & \xi_7^2 & \xi_7^3
\end{bmatrix}
\cdot
\begin{bmatrix}
a_1 \\
a_2 \\
a_3 \\
a_4
\end{bmatrix}
=\begin{bmatrix}
z_1 \\
z_2 \\
z_3 \\
z_4
\end{bmatrix}
$$

where $\xi_1 = \xi_M, \xi_3 = (\xi_M)^3, \xi_5 = (\xi_M)^5, \ldots$.

Therefore, we have that:

$\alpha = A^{-1}z$, and that $\sigma^{-1}(z) = \sum_{i=0}^{N-1} \alpha_i X^i \in \mathbb{C}[X]/(X^N + 1)$. 


#### $\sigma$:
To decode a polynomial $m(X)$ into a vector $z$, we evaluate on certain values, which will be the roots of $\Phi(M) = X^N + 1$, where the $N$ roots are $\xi, \xi^3, \ldots, \xi^{2N-1}$. 


### Encoding

For encoding, we aim to project a complex vector into the subspace:

$$
H = \{(z_j)_{j \in \mathbb{Z}^*_M} : z_j = z_{-j}\}.
$$

This is the $\pi^{-1}$ projection discussed in the original paper, where half of the entries are conjugates of the other half. We know that:

$$
\sigma(\mathcal{R}) \subseteq \mathbb{H} = \{ z \in \mathbb{C}^N : z_j = z_{-j} \}.
$$

The process involves the following steps:

1. **Multiplication with $\Delta$:**  
   We start by multiplying the vector with $\Delta$ to scale it appropriately.
   
2. **Projection using $\pi^{-1}$:**  
   The scaled vector is then projected using $\pi^{-1}$. This ensures that the resulting vector lies in $\mathbb{H}$.

3. **Coordinate-Wise Random Rounding:**  
   To project onto $\sigma(\mathcal{R})$, we use a technique called *coordinate-wise random rounding*. This is a method to discretize complex numbers in each coordinate independently while preserving certain statistical properties. For details, refer to [this paper](https://web.eecs.umich.edu/~cpeikert/pubs/toolkit.pdf).

    
   1. **Orthogonal $\mathbb{Z}$-Basis:**
   - The ring $\mathcal{R}$ has an orthogonal $\mathbb{Z}$-basis $\{1, X, \ldots, X^{N-1}\}$.
   - Since $\sigma$ is an isomorphism, $\sigma(\mathcal{R})$ has a corresponding orthogonal $\mathbb{Z}$-basis:
     $$
     \beta = \{b_1, b_2, \ldots, b_N\} = \{\sigma(1), \sigma(X), \ldots, \sigma(X^{N-1})\}.
     $$

    2. **Projection in the Basis:**
       - For any $z \in \mathbb{H}$, we can write:
         $$
         z = \sum_{i=1}^N z_i b_i,
         $$
         where $z_i$ are the coordinates of $z$ in the basis $\beta$. These coordinates are computed as:
         $$
         z_i = \frac{\langle z, b_i \rangle}{\|b_i\|^2} \in \mathbb{R}.
         $$
       - Here, $\langle x, y \rangle$ is the **Hermitian inner product**:
         $$
         \langle x, y \rangle = \sum_{k=1}^N x_k \overline{y_k},
         $$
         where $\overline{y_k}$ denotes the complex conjugate of $y_k$.
    
    3. **Rounding to Integers:**
       - Since the coordinates $z_i$ are real numbers (not integers), we apply **coordinate-wise random rounding**:
         - Each $z_i$ is rounded to either $\lfloor z_i \rfloor$ or $\lfloor z_i \rfloor + 1$.
         - The probability of rounding to $\lfloor z_i \rfloor + 1$ is proportional to the fractional part of $z_i$.
    
    4. **Reconstruction of $z$:**
       - Once we have the rounded coordinates $\{z_i\}$, we reconstruct $z$ using the basis $\beta$:
         $$
         z = \sum_{i=1}^N z_i b_i.
         $$
    


4. **Applying $\sigma^{-1}$:**  
   Finally, we apply $\sigma^{-1}$, as described earlier. This step outputs an element in $\mathbb{R}$, completing the encoding process.



### Decoding

For decoding, we work with a cyclotomic polynomial ring $\mathbb{Z}[X]/(X^N + 1)$ and aim to decode it to a vector $z \in \mathbb{C}^N$ such that:

$$
z = \pi \circ \sigma(\Delta^{-1} * m) \in \mathbb{C}^{N/2}.
$$

The decoding process involves the following steps:

1. **Scaling by $1 / \Delta$:**  
   Multiply the polynomial $m$ by the inverse of $\Delta$, i.e., $1 / \Delta$. This rescales the polynomial back to the correct domain.

2. **Applying $\sigma$:**  
   Next, apply $\sigma$, which maps the polynomial from $\mathbb{Z}[X]/(X^N + 1)$ to a complex vector in $\mathbb{C}^N$. This is explained in detail above.

3. **Projection to $\mathbb{C}^{N/2}$:**  
   The final step is to project the vector onto $\mathbb{C}^{N/2}$. Since the structure ensures that the second half of the array is the conjugate of the first half, this projection simply involves returning the first half of the array.





In [718]:
# code from https://colab.research.google.com/drive/1cdue90Fg_EB5cxxTYcv2_8_XxQnpnVWg?usp=sharing#scrollTo=qsDuOVro1H15

from math import sin,cos,pi
import numpy as np

class CKKSEncoder:
    """Basic CKKS encoder to encode complex vectors into polynomials."""
    
    def __init__(self, M: int, scale:float):
        """Initialization of the encoder for M a power of 2. 
        xi, which is an M-th root of unity will, be used as a basis for our computations.
        """
        self.xi = np.exp(2 * np.pi * 1j / M)
        self.M = M
        self.N = M // 2
        self.create_sigma_R_basis()
        self.scale = scale

    def vandermonde(self, xi: np.complex128, M: int) -> np.array:
        """Computes the Vandermonde matrix from a m-th root of unity."""
        
        N = M //2
        matrix = []
        # We will generate each row of the matrix
        for i in range(N):
            # For each row we select a different root
            root = xi ** (2 * i + 1)
            row = []

            # Then we store its powers
            for j in range(N):
                row.append(root ** j)
            matrix.append(row)
        return matrix

    def create_sigma_R_basis(self):
        """Creates the basis (sigma(1), sigma(X), ..., sigma(X** N-1))."""
    
        self.sigma_R_basis = np.array(self.vandermonde(self.xi, self.M)).T


    def pi(self, z: np.array) -> np.array:
        """Projects a vector of H into C^{N/2}."""
        
        N = self.M // 4
        return z[:N]


    def pi_inverse(self, z: np.array) -> np.array:
        """Expands a vector of C^{N/2} by expanding it with its
        complex conjugate."""
        
        z_conjugate = z[::-1]
        z_conjugate = [np.conjugate(x) for x in z_conjugate]
        return np.concatenate([z, z_conjugate])

    def compute_basis_coordinates(self, z):
        """Computes the coordinates of a vector with respect to the orthogonal lattice basis."""
        output = np.array([np.real(np.vdot(z, b) / np.vdot(b,b)) for b in self.sigma_R_basis])
        return output

    def round_coordinates(self, coordinates):
        """Gives the integral rest."""
        coordinates = coordinates - np.floor(coordinates)
        return coordinates
    
    def coordinate_wise_random_rounding(self, coordinates):
        """Rounds coordinates randonmly."""
        r = self.round_coordinates(coordinates)
        f = np.array([np.random.choice([c, c-1], 1, p=[1-c, c]) for c in r]).reshape(-1)
        
        rounded_coordinates = coordinates - f
        rounded_coordinates = [int(coeff) for coeff in rounded_coordinates]
        return rounded_coordinates
    
    def sigma_R_discretization(self, z):
        """Projects a vector on the lattice using coordinate wise random rounding."""
        coordinates = self.compute_basis_coordinates(z)
        
        rounded_coordinates = self.coordinate_wise_random_rounding(coordinates)
        y = np.matmul(self.sigma_R_basis.T, rounded_coordinates)
        return y

    def sigma_inverse(self, b: np.array) -> Polynomial:
        """Encodes the vector b in a polynomial using an M-th root of unity."""

        # First we create the Vandermonde matrix
        A = self.vandermonde(self.xi, self.M)

        # Then we solve the system
        coeffs = np.linalg.solve(A, b)

        # Finally we output the polynomial
        p = Polynomial(coeffs)
        return p

    def sigma(self, p: Polynomial) -> np.array:
        """Decodes a polynomial by applying it to the M-th roots of unity."""

        outputs = []
        N = self.M //2

        # We simply apply the polynomial on the roots
        for i in range(N):
            root = self.xi ** (2 * i + 1)
            output = p(root)
            outputs.append(output)
        return np.array(outputs)

    def decode(self, p: Polynomial) -> np.array:
        """Decodes a polynomial by removing the scale, 
        evaluating on the roots, and project it on C^(N/2)"""
        rescaled_p = p / self.scale
        z = self.sigma(rescaled_p)
        pi_z = self.pi(z)
        return pi_z

    def encode(self, z: np.array) -> Polynomial:
        """Encodes a vector by expanding it first to H,
        scale it, project it on the lattice of sigma(R), and performs
        sigma inverse.
        """
        pi_z = self.pi_inverse(z)
        scaled_pi_z = self.scale * pi_z
        rounded_scale_pi_zi = self.sigma_R_discretization(scaled_pi_z)
        p = self.sigma_inverse(rounded_scale_pi_zi)
        
        # We round it afterwards due to numerical imprecision
        coef = np.round(np.real(p.coef)).astype(int)
        p = Polynomial(coef)
        return p

    


 

In [1021]:
# TOY EXAMPLE FROM https://eprint.iacr.org/2016/421.pdf section 3.2

scale = 64
M = 8
encoder = CKKSEncoder(M, scale)
z = np.array([3 +4j, 2 - 1j])
encoded_pol = encoder.encode(z)
encoder.decode(encoded_pol)

array([2.99718446+3.99155337j, 2.00281554-1.00844663j])

In [1137]:
# code from https://github.com/AI-Tech-Research-Lab/Introduction-to-BFV-HE-ML/blob/main/BFV_theory/BFV_theory.ipynb

def Poly(coeffs):
    """
    Helper function to build polynomials, passing a dictionary of coefficients.
    For example, passing {0: 1, 1: -2, 2: 2} returns the polynomial
    2X**2 - 2X + 1
    """
    max_power = max(coeffs.keys())
    _coeffs = np.zeros(max_power + 1)
     
    for i, c in coeffs.items():
        _coeffs[i] = c
        
    return Polynomial(_coeffs)

def pr(p):
    """ 
    Helper function to pretty-print the polynomials, with human order
    of powers, removed trailing .0, etc.
    """
    coefs = p.coef
    res = ""
    
    powers = range(len(coefs)-1, -1, -1)
    for power, coeff in zip(powers, reversed(coefs)):
        if coeff == 0:
            continue
        
        if int(coeff) == coeff:
            coeff = int(coeff)
                  
        sign = "- " if coeff < 0 else "+ "
        
        if power == 0:
            value = abs(coeff)
        elif abs(coeff) != 1:
            value = abs(coeff)
        else:
            value = ""

        power_sign = {0: "", 1: "X"}
        def_power_sign = f"X**{power}"
        
        res += f" {sign}{value}{power_sign.get(power, def_power_sign)}"
        
    if res[1] == "+":
        return res[3:]
    if res[1] == "-":
        return res[1:]

def mod_on_coefficients(polynomial, modulo):
    """
    Apply the modulo on the coefficients of a polynomial.
    """
    coefs = polynomial.coef
    mod_coefs = []
    for c in coefs:
        mod_coefs.append(c % modulo)
        
    return Polynomial(mod_coefs)

def round_on_nearest_integer(polynomial):
    """
    Round the coefficients of a polynomial to the
    nearest integer.
    """
    coefs = polynomial.coef
    round_coefs = []
    for c in coefs:
        round_coefs.append(round(c))
    
    return Polynomial(round_coefs)


def reduce_polynomial(polynomial, cyclotomic_polynomial, q):
    """
    Reduce a polynomial modulo a cyclotomic polynomial and a modulus.
    """
    remainder = divmod(polynomial, polynomial_modulus)[1] # polynomial modulo cyclotomic polynomial -> get the remainder
    return mod_on_coefficients(remainder, q) # perfrom mod operation on coefficients


In [919]:
import random

def secret_key_pol(M, h):

    s = {}
    non_zero_indices = random.sample(range(M), h)
    
    # Assign ±1 randomly to the selected positions
    for idx in non_zero_indices:
        s[idx] = random.choice([-1, 1])
    
    return Poly(s)
    

In [925]:
def create_error_pol(M, sigma, mu):
    e = np.random.normal(mu, sigma, M)
    e_map = {}
    for i in range(len(e)):
        e_map[i] = round(e[i])
    
    return Poly(e_map)
    

In [1150]:
def sample_pol(M, modulous):
    coeffs = {}
    for i in range(M):
        c = np.random.randint(0, modulous)
        coeffs[i] = c
    return Poly(coeffs)
    

In [1311]:
delta = 64
M = 32
N = M // 2 # degree of the polynomial, also a power of 2
polynomial_modulus = Poly({0: 1, N: 1})
h = 5 # the number of non zero coefficients
L = 3 # ciphertext level -> decreases as the computation progresses
q0 = delta << 2 # base modulous, q
qL = q0 * delta**L

mu = 0
sigma = 3.2
p = 7


s = secret_key_pol(N, h) # secret key
a = sample_pol(N, q)
e = create_error_pol(N, sigma, mu)

b = (-a*s)+e
b = reduce_polynomial(b, polynomial_modulus, qL)

# public key
pk = (b, a)

# Evaluation key generation
a_prime = sample_pol(N, qL*p)
e_prime = create_error_pol(N, sigma, mu)

b_prime = (-a_prime*s)+e_prime+p*(s**2)
b_prime = reduce_polynomial(b_prime, polynomial_modulus, qL*p)

eval_key = (b_prime, a_prime)

In [1301]:
e1 = create_error_pol(N, sigma, mu)
e2 = create_error_pol(N, sigma, mu)
coeffs = {}

for i in range(0, N):
    coeffs[i] = np.random.randint(-1, 2)
    
v = Poly(coeffs)
print(f"e_1: {pr(e_1)}\n")
print(f"e_2: {pr(e_2)}\n")
print(f"v: {pr(u)}\n")

e_1: - 4X**15 - 5X**14 + 3X**12 - 4X**11 - 2X**10 + X**9 + 2X**8 + 9X**7 + 6X**6 + 4X**5 + 3X**4 + 7X**3 - 4X**2 - 3X - 3

e_2: - 3X**15 - 7X**14 + 2X**13 - 3X**12 - X**10 + 2X**9 + 5X**8 - 3X**7 + 6X**6 + 7X**5 - X**4 - 2X**3 + 7X**2 + X - 3

v: X**15 + X**14 + X**13 - X**12 - X**10 + X**8 + X**7 + X**6 - X**4 + X**3 + X**2 + X



In [1306]:
# m = Poly({0: 1, 1: 1, 2: 1})
m = Poly({0: 160, 1: 91, 2: 160, 3:45})
ck0 = v*pk[0] + e1 + m
ck0 = divmod(ck0, polynomial_modulus)[1]
ck0 = mod_on_coefficients(ck0, qL)
ck1 = v*pk[1] + e2
ck1 = divmod(ck0, polynomial_modulus)[1]
ck1 = mod_on_coefficients(ck1, qL)
ciphertext = (ck0, ck1)
print(pr(ck0), pr(ck1))

1115X**15 + 67105203X**14 + 67102741X**13 + 67103726X**12 + 67102102X**11 + 67103710X**10 + 67108502X**9 + 67108226X**8 + 4878X**7 + 1659X**6 + 4828X**5 + 2666X**4 + 1382X**3 + 67108433X**2 + 67108166X + 67107703 1115X**15 + 67105203X**14 + 67102741X**13 + 67103726X**12 + 67102102X**11 + 67103710X**10 + 67108502X**9 + 67108226X**8 + 4878X**7 + 1659X**6 + 4828X**5 + 2666X**4 + 1382X**3 + 67108433X**2 + 67108166X + 67107703


In [1310]:
plaintext = ciphertext[1] * s + ciphertext[0]
plaintext = divmod(decrypt, polynomial_modulus)[1]
plaintext = mod_on_coefficients(plaintext, qL)
print(plaintext, m)

6.0 + 0.0·x + 6.0·x² + 3.0·x³ 160.0 + 91.0·x + 160.0·x² + 45.0·x³


In [1299]:
# ct0 = pk[0] * v + e1 + floor((qL/p)) * m
# ct0 = divmod(ct0, polynomial_modulus)[1]
# ct0 = mod_on_coefficients(ct0, qL)

# ct1 = pk[1] * v + e2
# ct1 = divmod(ct1, polynomial_modulus)[1]
# ct1 = mod_on_coefficients(ct1, qL)

# print(f"Ciphertext: {pr(ct0)}, {pr(ct1)}")

# decrypt = ct1 * s + ct0
# decrypt = divmod(decrypt, polynomial_modulus)[1]
# decrypt = mod_on_coefficients(decrypt, qL)

# print(f"Scaled plaintext + errors: {pr(decrypt)}")

# decrypt = decrypt * p/qL
# print(f"De-scaled plaintext plus errors: {pr(decrypt)}")

# decrypt = round_on_nearest_integer(decrypt)
# decrypt = mod_on_coefficients(decrypt, p)

# print(f"Plain starting message: {pr(m)}")
# print(f"Final decryption result: {pr(decrypt)}")

Ciphertext: 2471X**15 + 67105381X**14 + 67104614X**13 + 67108526X**12 + 67105246X**11 + 67108437X**10 + 1994X**9 + 67107450X**8 + 3114X**7 + 4904X**6 + 67106770X**5 + 67108645X**4 + 28761543X**3 + 57515449X**2 + 67107543X + 57521314, 451X**15 + 67108466X**14 + 1174X**13 + 1975X**12 + 67108580X**11 + 67107879X**10 + 67108741X**9 + 67106944X**8 + 67106537X**7 + 781X**6 + 572X**5 + 276X**4 + 2507X**3 + 1556X**2 + 525X + 865
Scaled plaintext + errors: 11X**15 + 3X**14 + 67108853X**13 + 16X**12 + 20X**11 + 67108860X**10 + 7X**9 + 67108858X**8 + 67108841X**7 + 67108861X**6 + 3X**5 + 28760919X**3 + 57521793X**2 + 67108812X + 57521809
De-scaled plaintext plus errors: 1.1473894119262695e-06X**15 + 3.129243850708008e-07X**14 + 6.999998852610588X**13 + 1.6689300537109375e-06X**12 + 2.086162567138672e-06X**11 + 6.999999582767487X**10 + 7.301568984985352e-07X**9 + 6.99999937415123X**8 + 6.999997600913048X**7 + 6.999999687075615X**6 + 3.129243850708008e-07X**5 + 2.99999763071537X**3 + 5.999990567564

In [868]:
# EXAMPLE

import numpy as np
from numpy.polynomial import Polynomial
from sympy import ntt

M = 8
N = M // 2



def sigma(p: Polynomial, xi) -> np.array:
    """Decodes a polynomial by applying it to the M-th roots of unity."""

    outputs = []
    N = 4

    # We simply apply the polynomial on the roots
    for i in range(N):
        root = xi ** (2*i + 1)
        output = p(root)
        outputs.append(output)
    return np.array(outputs)

# # pol = np.array([2.5+4.440892098500626e-16j,-4.996003610813204e-16+0.7071067811865479j,-3.4694469519536176e-16+0.5000000000000003j, -8.326672684688674e-16+0.7071067811865472j])

# prime = 5

encoder = CKKSEncoder(M)

# print(pol)
xi = np.exp(-2 * np.pi * 1j / M)
pol = np.array([2.5, 1.421875, 2.5, 0.703125])
print(encoder.fft(pol, xi))

# transform = np.fft.fft(pol)
# print ("FFT : ", transform)

# pol = Polynomial([2.5, 1.421875, 2.5, 0.703125])
# xi = np.exp(-2 * np.pi * 1j / M)
# res = sigma(pol, xi)
# print("new: ", res)


# p = encoder.sigma_inverse(b)
# p
# b_reconstructed = encoder.sigma(p)
# b


# encoder.ifft(pol)




TypeError: CKKSEncoder.__init__() missing 1 required positional argument: 'scale'

In [286]:
# M = 8
# N = M // 2


# # b = np.array([1, 2, 3, 4])

# delta = 64

# # input vector
# inp = np.array([3+4j, 2-1j])


# # append the conjugate since N=4
# inp = encoder.pi_inverse(inp)

# # scaling 
# inp = inp * delta



# # p = encoder.ifft(inp)
# # print(p)
# # np.dot(delta, p)



# # p
# # xi = np.exp(2 * np.pi * 1j / N)
# # d = encoder.fft(p, xi)
# # d

In [377]:
def bitReverse(vals, size):
    """Rearrange elements of vals based on bit-reversed indices."""
    j = 0
    for i in range(1, size):
        bit = size >> 1
        while j >= bit:
            j -= bit
            bit >>= 1
        j += bit
        if i < j:
            vals[i], vals[j] = vals[j], vals[i]
 

In [353]:
def scale_down_to_real(x, logp):
    """
    Scale down a large integer `x` by reducing its precision by `logp`.

    Parameters:
        x (int): The large integer value to scale down.
        logp (int): The logarithm of the precision to scale down by.

    Returns:
        float: The scaled-down floating-point value.
    """
    from decimal import Decimal  # For handling large numbers precisely

    xp = Decimal(x)  # Convert the integer to a high-precision decimal
    xp /= Decimal(2 ** logp)  # Scale down by shifting `logp` bits
    return float(xp)  # Convert back to a double (floating-point)


In [465]:
from decimal import Decimal  # For handling large numbers precisely
def scale_up_to_zz(x, logp):
    """
    Scales up a floating-point value x by left-shifting it by logp.
    
    Parameters:
        x (float): The input floating-point value.
        logp (int): The power of 2 for scaling (precision).
    
    Returns:
        int: The scaled-up integer value.
    """
    # Convert x to high precision using Decimal for better accuracy
    scaled_value = Decimal(x) * (2 ** logp)
    
    # Convert to integer and return
    return int(scaled_value)

In [429]:
import random

def random_complex_array(size, bound=1.0):
    """
    Generates an array of random complex numbers with real and imaginary parts 
    in the range (0, bound).
    
    Parameters:
        size (int): Number of complex numbers to generate.
        bound (float): Upper bound for the real and imaginary parts (default: 1.0).
    
    Returns:
        list of complex: An array of random complex numbers.
    """
    return [complex(random.uniform(0, bound), random.uniform(0, bound)) for _ in range(size)]


In [663]:
class Enc:
    def __init__(self, logN, logQ):
        self.N = 1 << logN # N is a power-of-two that corresponds to the ring Z[X]/(X^N + 1)
        self.Nh = self.N >> 1 # Nh = N / 2
        self.logHh = logN - 1 # logHn = logN - 1
        self.M = self.N << 1
        self.logQQ = logQ << 1 # logQQ = log of PQ
        self.Q = 2**(logQ) # the highest modulous
        self.QQ = 2**(self.logQQ) # PQ = Q*Q
        self.rotGroups = []
        self.ksiPows = []

        fivePows = 1
        for i in range(self.Nh):
            self.rotGroups.append(fivePows)
            fivePows *= 5
            fivePows %= self.M

        for j in range(self.M):
            angle = 2.0 * np.pi * 1j / self.M
            self.ksiPows.append(np.exp(1j * angle))

        self.ksiPows.append(self.ksiPows[0]) # Mth element

    
    def fftSpecial(self, vals):
        siz = len(vals)
        
        bitReverse(vals, siz)
    
        len_ = 2
        i = 0
        while len_ <= siz:
            while i  < siz:
                lenh = len_ >> 1
                lenq = len_ << 2
                for j in range(lenh):
                    idx = ((self.rotGroups[j] % lenq)) * self.M // lenq
                    u = vals[i + j]
                    v = vals[i + j + lenh] * self.ksiPows[idx]
                    vals[i+j] = u + v
                    vals[i+j+lenh] = u-v

                i += len_
            len_ <<= 1
                    
        return vals

    def fftSpecialInvLazy(self, vals):
        
        siz = len(vals) 
        i = 0
        len_ = siz
        while len_ >= 1:
            while i < siz:
                lenh = len_ >> 1
                lenq = len_ << 2
                gap = self.M // lenq
                j = 0
                while j < lenh:
                    idx = (lenq - (self.rotGroups[j] % lenq)) * gap
                    u = vals[i+j] + vals[i+j+lenh]
                    v = vals[i+j] - vals[i+j+lenh]
                    v *= self.ksiPows[idx]
                    vals[i+j] = u
                    vals[i+j+lenh] = v
                    j+=1
                i += len_
            len_ >>= 1
        
        bitReverse(vals, siz)
        

    def fftSpecialInv(self, vals):
        self.fftSpecialInvLazy(vals)
        siz_ = len(vals)
        for i in range(siz_):
            vals[i] /= siz_
        
    
    def decode(self, mx, slots, logp, logq):
        q = 2**(logq)
        gap = self.Nh / slots
        idx = 0
        res = [0] * slots  # Initialize the result array

        # print(self.Nh, slots)

        # print("gap", gap)
        
        for i in range(slots):
            idx = int(i * gap)
            tmp = mx[idx] % q
        
            if tmp.bit_length() == logq:  # Check NumBits(tmp) == logq
                tmp -= q

            real_part = scale_down_to_real(tmp, logp)

            tmp = mx[idx + Nh] % q  # rem(tmp, mx[idx + Nh], q)
            if tmp.bit_length() == logq:  # Check NumBits(tmp) == logq
                tmp -= q
            imag_part = scale_down_to_real(tmp, logp)

            res[i] = complex(real_part, imag_part)

        
        return self.fftSpecial(res)
        # return self.fftSpecial(mx)

    # logp + logQ
    def encode(self, vals, slots, logp):

        uvals = vals[:slots] + [0] * (slots - len(vals))
        
        self.fftSpecialInv(uvals)
        print(uvals)
        
        mx = [0] * self.N
        gap = self.Nh // slots

        idx = 0
        jdx = self.Nh
        for i in range(slots):
            idx = i * gap
            
            # Real and imaginary parts
            
            mx[idx] = scale_up_to_zz(uvals[i].real, logp)
            mx[jdx] = scale_up_to_zz(uvals[i].imag, logp)

            idx += gap
            jdx += gap
        
        
        return mx
        
        
            
    

In [664]:
# mx = np.array([160, 91, 160, 45])


logN = 2  # N = 4
logQ = 6  # Q = 2^65
logp = 30  # Precision of scaling
slots = 1 << logN


bound = 1.0
# random_array = random_complex_array(slots, bound)

random_array = [complex(3+4j), complex(2-1j), complex(3-4j), complex(2+1j)]

# print(random_array)


enc = Enc(logN, logQ)
print(enc.Nh)
enc.encode(random_array, slots, logp)

# enc.decode(encoded, slots, logp, logQ)



# Mock the mx array (encoded data)
# mx is of size Nh = N / 2, containing values encoded in frequency domain



# decoded_data = enc.decode(mx, slots, logp, logq)

# print("Decoded Data:")
# for i, val in enumerate(decoded_data):
    # print(f"Slot {i}: {val}")

2
[(1.5+0j), np.complex128(0.9118762555319925j), (1+0j), np.complex128(-0.22796906388299812j)]


[0, 0, -244779918, 0]